[00:00.640 --> 00:07.180]  Hello, DEF CON. My name is Andrea, and today I'm going to be talking to you about threat models
[00:07.180 --> 00:14.380]  for patient communities on social networks. I'm not going to spend too much time about me. This
[00:14.380 --> 00:22.840]  is my second year at DEF CON. I am a BRCA1 community data organizer, a mutant-turned
[00:22.840 --> 00:28.880]  security researcher. Last year, I presented on a major security flaw in Facebook's group
[00:28.880 --> 00:36.700]  architecture. I started a nonprofit called Light Collective and enough about me. I want to start
[00:36.700 --> 00:45.020]  with this photograph of Portland. It is a community under siege. And when we look at this photograph,
[00:45.020 --> 00:51.840]  depending on your politics, your ideology, your education level, your hopes, your fears,
[00:51.840 --> 00:57.860]  you might see different things from this photograph. But one thing we might agree on
[00:57.860 --> 01:06.960]  is that Portland is a community in turmoil. I look at this photo and I see thousands of
[01:06.960 --> 01:13.900]  beautiful points of light generated from cell phones, from people with varying levels of
[01:13.900 --> 01:21.280]  technical literacy, and I hope to God they understand how their data at this protest
[01:21.280 --> 01:30.340]  may be used against them. They are vulnerable, and in raising their voices, their data can be
[01:30.340 --> 01:37.960]  something that is weaponized. Well, how do we think about this in the context of a digital community
[01:37.960 --> 01:47.280]  for health care or for health? Well, I'd like to start with just a quick framework for what I'm
[01:47.280 --> 01:52.360]  going to cover today on threat models and health social networks from a community's perspective.
[01:52.660 --> 02:00.460]  We often think about protecting systems and data and not necessarily about the communities or
[02:00.460 --> 02:07.640]  digital spaces where we reside. So in this talk, I'll cover how the nature of the adversary,
[02:07.640 --> 02:13.000]  when we think about threat models, is becoming difficult to detect. I'm going to talk about how
[02:13.000 --> 02:19.860]  nobody is immune to an infodemic, and especially as this COVID pandemic rages on. I'm going to talk
[02:19.960 --> 02:25.920]  a little bit about how influence can be deadly or it can save lives. And finally, ask what is
[02:25.920 --> 02:32.620]  the path forward from here? How do we survive an infodemic? Well, let me start with my village.
[02:32.620 --> 02:40.140]  This is a quick network graph of my own community, and just like that picture in Portland, I would
[02:40.760 --> 02:46.320]  kind of explain to everybody who isn't involved in patient communities or
[02:46.700 --> 02:54.280]  e-patient social networks, we are right now also a community under siege. We are losing access to
[02:54.280 --> 03:01.340]  care. We are losing access to meds. We are high-risk communities who have adverse or
[03:01.340 --> 03:07.040]  underlying conditions that make us more at risk to potentially dying from COVID.
[03:07.640 --> 03:16.140]  And this is work that spans to a much larger scale. In fact, there aren't a lot of statistics
[03:16.140 --> 03:24.200]  on this in the pandemic, but I'll give you or point you to a survey from 2018 from Hope Lab
[03:24.720 --> 03:33.080]  that shared 51% of young adults have tried to find people online with health concerns similar
[03:33.080 --> 03:39.600]  to their own. What we call this phenomenon is peer support, and there's a whole body of evidence
[03:39.600 --> 03:46.400]  around how peer support and health can have really beneficial effects. It can also have
[03:46.400 --> 03:52.180]  harmful effects when the tech platforms where we reside or the knowledge that we share can
[03:52.180 --> 04:01.740]  be weaponized against us. Further, it can be much more difficult when the nature of the adversary
[04:01.740 --> 04:08.760]  is becoming harder and harder to detect. Well, what has this looked like over the past couple
[04:08.760 --> 04:15.320]  of months? We have physicians at the steps of the Supreme Court in their white lab coats
[04:16.340 --> 04:23.920]  advocating for the use of hydroxychloroquine, which we know is not an evidence-based treatment
[04:23.920 --> 04:32.580]  for COVID-19. We have doctors flocking to TikTok. A lot of ways these doctors have the best of
[04:32.580 --> 04:41.180]  intentions, but when we encourage the sharing of knowledge in a health community, we are
[04:42.000 --> 04:49.520]  inevitably exposing the people who engage at that level on these platforms to have those data
[04:49.520 --> 04:56.840]  weaponized against them. Well, the nature of the adversary is also becoming difficult to detect
[04:57.240 --> 05:04.520]  because the leaders and scientists who have traditionally been in these positions of power
[05:05.000 --> 05:13.500]  are in some ways enabling disinformation. This is a picture of George Church who recently launched
[05:13.900 --> 05:21.840]  a dating app based on genomics and here he is snorting his own vaccine that is not FDA approved.
[05:21.840 --> 05:29.320]  And it begs the question, how are we replacing science with ideology? How are these disinformation
[05:30.280 --> 05:36.360]  narratives targeting vulnerable groups? Well, more and more it's starting to feel like no one
[05:36.360 --> 05:47.430]  is coming to save us. Well, further, no one is immune to ad targeting or disinformation
[05:48.410 --> 05:54.570]  on these tech platforms where we reside. I highly encourage you to take a look at this
[05:55.490 --> 06:02.650]  recent news article about Facebook and direct-to-consumer pharmaceutical ads.
[06:02.650 --> 06:08.630]  Here's just one great example of a direct-to-consumer ad. I have to laugh at this one.
[06:08.630 --> 06:16.150]  For anybody who knows about GINA, the Genetic Information Non-Discrimination Act, here we have
[06:16.290 --> 06:23.550]  a direct-to-consumer ad that is advertising life insurance based on your genome. Well,
[06:23.550 --> 06:31.690]  there's a problem with that. GINA, the Genetic Information Non-Discrimination Act,
[06:31.690 --> 06:39.030]  has one loophole that allows companies to discriminate, and that one loophole is for
[06:39.030 --> 06:48.670]  life insurance companies. So I ask, or it begs the question, how far have we gotten from serving
[06:48.670 --> 06:55.750]  the people that reside on these platforms with good knowledge in a way that is going to
[06:55.750 --> 07:01.670]  protect them instead of use health or genetic information against people?
[07:03.450 --> 07:11.290]  Influence can be deadly. I'm going to give you a couple of examples here. One is making the round
[07:11.290 --> 07:18.090]  lately in Facebook groups. It's a black salve treatment, a fake cancer cure, and this is what
[07:18.090 --> 07:27.850]  happens when you apply a snake oil treatment that essentially burns your skin and is being
[07:28.890 --> 07:36.130]  peddled by marketers in these different groups. Some of them are people joining closed groups
[07:37.030 --> 07:45.170]  under the guise of being a person offering support when really they have an interest in
[07:45.170 --> 07:53.010]  peddling snake oil or other types of treatments. Parents are poisoning their children with bleach
[07:53.010 --> 08:01.170]  in order to cure autism. And we could teach the debate all we want on the anti-vax movement.
[08:01.530 --> 08:10.130]  I'll just offer up this one example of a mom not giving her son Tamiflu, and he later died.
[08:10.130 --> 08:17.370]  There are more and more examples popping up like this all over the place, and I could go on and on.
[08:18.330 --> 08:27.130]  So in one aspect, there is a bright spot here when we think about social networks coming together
[08:27.130 --> 08:33.390]  and doing so in a way that is evidence-based. I want to give this one example of a community
[08:33.870 --> 08:43.150]  within my own ecosystem of breast cancer social networks that actually came together in a good
[08:43.150 --> 08:53.510]  way. This was a group of women who organized around a rare disorder called BIA-ALCL, which is
[08:53.510 --> 08:59.810]  breast implant illness and a rare form of leukemia that was being caused by a certain type of
[08:59.810 --> 09:06.330]  implant that a lot of women who are going through breast reconstruction or bilateral
[09:06.330 --> 09:14.590]  mastectomies were opting to have. Well, as it turns out, the data on adverse events for
[09:15.530 --> 09:22.010]  this particular type of implant were not being reported back to the FDA. And so these women
[09:22.010 --> 09:30.190]  banded together on very large Facebook groups. They worked with physicians, and the outcome of
[09:30.190 --> 09:36.530]  that was Allergan was cited, and there was an FDA warning, and more transparency in different
[09:36.530 --> 09:44.050]  processes around post-approval study requirements for breast implants. So there can be good outcomes
[09:44.050 --> 09:51.130]  here when we think about how social networks come together. It's just a double-edged sword.
[09:52.010 --> 09:57.650]  Peer support and the lifelines I've seen over the many years that I've been on social media
[09:58.070 --> 10:06.050]  can be life-saving. They can change things, but we have to recognize that there are good effects
[10:06.050 --> 10:12.910]  and bad effects. We have to bolster the good while really acknowledging the harm and asking ourselves,
[10:12.910 --> 10:20.610]  how do we re-ground in ethics, and how do we first do no harm? Well, what does an infodemic
[10:20.610 --> 10:28.650]  look like when we zoom out and take a look at how social networks, bots, and disinformation
[10:28.650 --> 10:40.770]  campaigns target vulnerable communities at scale? Here is a quick snapshot of known conspiracy
[10:40.770 --> 10:48.610]  theories and disinformation hashtags. And I'm just going to give this one example and move my
[10:48.610 --> 10:57.290]  cursor over here at the right so you can see QAnon in red. This is a cluster of the QAnon
[10:57.290 --> 11:03.530]  hashtag tweeting about COVID. This comes from a really great open-source project called Project
[11:03.530 --> 11:11.110]  Domino. I invite you to reach out to Leo Meyerovich, who is the co-founder of Graphistry,
[11:11.110 --> 11:18.510]  and I'm on their COVID hunting team in Project Domino, and it's just a really fantastic group that
[11:19.310 --> 11:25.590]  banded together and started visualizing what these disinformation networks, what these bot
[11:25.590 --> 11:34.770]  networks look like, and thinks about how their behavior can be clustered together in the types
[11:34.770 --> 11:40.590]  of language that are being used or the number of tweets per day that might be a pattern that
[11:40.590 --> 11:47.950]  is statistically significant. Well, I look at this and I think, well, my gosh, this is
[11:48.230 --> 11:56.550]  a snapshot of the infodemic. This is what a biological process looks like on a social network.
[11:56.550 --> 12:04.250]  To me, it looks like social networks not being able to detect and respond effectively to these
[12:04.250 --> 12:09.730]  campaigns in a way that's getting ahead of the infodemic, and that's one of the reasons why we're
[12:09.730 --> 12:19.090]  not flattening the curve. Here's another picture that I think is really important. This is another
[12:19.090 --> 12:26.990]  one from Project Domino. This is roughly 211,000 tweets from 50 COVID-related misinformation
[12:26.990 --> 12:34.530]  tag campaigns. I want to give a shout out to Cody Webb who helped generate this.
[12:34.530 --> 12:44.090]  And once again, you know, this is what pollution of information in social networks when people are
[12:44.090 --> 12:50.610]  going through trauma looks like at scale. When we have bot networks, when we have sock puppets
[12:50.610 --> 12:59.270]  attacking and just spewing out the wrong information to vulnerable people who are
[12:59.270 --> 13:04.470]  seeking knowledge, evidence-based knowledge, and they don't know who and what to believe anymore.
[13:07.480 --> 13:14.920]  So where does this leave us? It leaves us leading the world in not flattening the curve.
[13:14.920 --> 13:23.280]  Here are daily confirmed cases, a five-day moving average of new cases where we are
[13:24.040 --> 13:32.620]  hitting between 60 and 70,000 on our five-day moving average of new cases. Users really don't
[13:32.620 --> 13:38.380]  have rights when it comes to health privacy on social networks, and that in and of itself is a
[13:38.380 --> 13:44.680]  threat model we need to think about. Health information can be used to deny jobs, can be used
[13:44.680 --> 13:56.100]  to deny health care, and the one agency that we have put a complaint forth to is the FTC. Well,
[13:56.100 --> 14:02.140]  I think it's important to think about this really great paper from Nature Medicine called Privacy in
[14:02.140 --> 14:10.960]  the Age of Medical Big Data. It shows or paints a picture of the big data policy landscape as an
[14:10.960 --> 14:19.140]  iceberg. Above the water, at the tip of the iceberg, we have all HIPAA-covered entities where so much in
[14:19.140 --> 14:24.980]  cybersecurity, when we talk about protecting devices, when we talk about health data breaches,
[14:24.980 --> 14:34.820]  that's above the iceberg. Well, below the iceberg is a lot more. Not only has the FTC failed
[14:35.280 --> 14:40.440]  to enforce or protect the health privacy on social networks, and I know I'm blocking this,
[14:40.440 --> 14:49.640]  so I'm going to move over here. There we go. The FTC had a settlement back in 2019, a $5 billion
[14:49.640 --> 14:57.640]  settlement, and we brought a complaint to the FTC under this PHR breach notification rule.
[14:57.640 --> 15:04.340]  It's the one rule in the one agency outside of Health and Human Services that has authority to
[15:04.340 --> 15:13.720]  enforce any kind of consumer protection for health information. And so we went to them and said,
[15:13.720 --> 15:19.040]  you know, Facebook has a major data breach that has to do with health information, and there was
[15:19.780 --> 15:23.040]  basically no response in this $5 billion settlement.
[15:24.620 --> 15:30.680]  Meanwhile, health insurers are vacuuming up details about us. It can raise our rates.
[15:31.300 --> 15:37.680]  Any health information that you share on a social network can be used by data aggregators and
[15:37.680 --> 15:46.660]  packaged up to basically be used to discriminate against you, and I want everybody just to be very
[15:46.660 --> 15:52.920]  careful about that. For me, as somebody who's been on social media for 10 years, the genie is already
[15:52.920 --> 15:59.540]  out of the bottle. And I recognize that when people go through a new diagnosis, they're seeking
[16:00.240 --> 16:05.540]  support and information, but we don't have any safe harbors. We don't have any safe spaces
[16:06.380 --> 16:13.340]  anymore to talk about our health, and that's a problem. Where do we go from here?
[16:14.060 --> 16:20.580]  I think we need to lock arms, and I'm going to take a page from I Am the Cavalry and say,
[16:20.580 --> 16:27.780]  no one is coming to save us. I've tried. Nobody's coming to save us. The only people who are coming
[16:27.780 --> 16:33.940]  to save us are the ones directly affected, and I really hope that I can give a meaningful call
[16:33.940 --> 16:41.640]  to action to the folks who are listening today. I need the cybersecurity community. I need the
[16:41.640 --> 16:48.780]  national security community. I need healthcare leaders and experts to come and lock arms with
[16:48.780 --> 16:54.800]  these patient communities and lift our voices up. If we don't do that, if we don't meet people
[16:54.800 --> 17:01.680]  where they are and start giving them meaningful rights and protections, this harm and damage is
[17:01.680 --> 17:06.780]  going to continue, and we are not going to flatten the curve. Well, what does that look like, and how
[17:06.780 --> 17:12.520]  are we doing this through the Light Collective? We have a very ambitious roadmap. We are working
[17:12.520 --> 17:18.400]  on a framework for collective self-governance that is driven by patient communities that
[17:18.400 --> 17:24.560]  reside on social networks. We are developing best practices to protect patient support groups
[17:25.490 --> 17:32.360]  that already exist on Facebook and Twitter and asking ourselves, well, if we are in such a
[17:32.360 --> 17:38.520]  hostile environment, maybe we need to leave the platform. How do we do that? We're looking at
[17:38.520 --> 17:45.210]  legal frameworks like a data trust. We're looking at cyber hygiene best practices, onboarding mentors,
[17:45.210 --> 17:52.330]  and I invite you to get involved, to donate. We have weekly events, and we would love to see you
[17:52.330 --> 18:00.690]  there. Finally, thank you for your time. Join us. You know where to find me. Come follow Be Like
[18:00.690 --> 18:08.110]  Light, and we will see you on the internet. Bye for now.
